Oracle Virtual Directory provides the ability to regulate items such as the number of entries the server can return for an anonymous user or for an authenticated user. You can also limit inbound transaction traffic to protect proxied sources from Denial of Service attacks or to limit LDAP traffic to control access to a limited directory infrastructure resource. You can configure these properties and others on the Oracle Virtual Directory Server Properties page in Oracle Enterprise Manager Fusion Middleware Control.

There are two tabs on the Server Properties screen: General and Change SuperUser Password. The General tab contains options to configure general server properties, such as quotas on activity limits, search settings, and schema and access control checks. You can use the Change SuperUser Password tab to change the password for the Oracle Virtual Directory superuser.

The following are the procedures to configure the properties on each tab:

Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target on which you want to configure the server settings.

Enable quota enforcement on the server by selecting the Enable Quota Enforcement option and entering the following information:

Note:

You must select the Enable Quota Enforcement option to configure the Activity Limits parameters.

Enter the maximum number of client connections to allow in the Maximum Client Connections field.

Enter the maximum number of operations to allow for each connection in the Maximum Operations per Connection field.

Enter the maximum number of connections to allow for each authenticated subject in the Maximum Connections per Authenticated Subject field.

Enter the maximum number of connections to allow for each IP address connected to Oracle Virtual Directory in the Maximum Connections per IP Address field.

Enter the maximum length of time (in minutes) that a client connection can remain inactive before Oracle Virtual Directory closes the connection in the Maximum time period (minutes) field.

Add or delete IP addresses that are exempt from the quota checking in the Exempt IP addresses field. To add an IP address, enter the IP address in the Exempt IP Addresses field. To delete an IP address, select the IP address in the Exempt IP Addresses field and delete it.

Note:

Oracle Virtual Directory 11g Release 1 (11.1.1) supports IPv6. If your network supports IPv6 you can use literal IPv6 addresses in the Exempt IP Addresses field to identify IP addresses that are exempt from quota enforcement.

Add or delete subjects that are exempt from the quota checking in the Exempt Subjects field. To add a subject, enter the subject in the Exempt Subjects field. To delete a subject, select the subject in the Exempt Subjects field and delete it.

Enter the maximum number of entries to return for an anonymous client search in the Anonymous Search field. The default setting is 1000.

Enter the maximum number of entries to return for an authenticated user in the Authenticated User Search field. An authenticated user is defined as a user bound to Oracle Virtual Directory. The Oracle Virtual Directory root account is exempt from this quota and the default setting is 10,000.

Select the Enable Access Control Check option to enable Oracle Virtual Directory to enforce access controls as defined in the access control file.

Select the Enable Persistent Search option to enable Oracle Virtual Directory to support the persistent search control regardless of the adapters configured.

Select the Enable Schema Check option to enable Oracle Virtual Directory to check LDAP entries for conformance against the schema definitions contained in the files listed in the Schema Locations field.

Oracle suggests disabling the Enable Schema Check option only when an external method for schema checking will be used.

If the Enable Schema Check option is selected, Oracle Virtual Directory uses the files that are listed in the Schema Locations field to verify that LDAP entries conform to schema definitions. Use this field to identify the files Oracle Virtual Directory uses to define its schema.

Each file is applied in descending order from top to bottom, with each file overriding the previous one when conflicts occur. Typically, the last file identified is schema.user.xml. Any and all changes to schema are applied to the schema.user.xml file to ensure standard files, such as schema.core.xml, remain unchanged between releases, but can also be virtually modified by having the changes in schema.user.xml override default-shipped schema in schema.core.xml.

If you are installing a manufacturer supplied schema (in DSML form), place that file second to last in the list of schema files, immediately before schema.user.xml. This protects the distributed manufacturer file from modification while allowing local customization, which is then stored in schema.user.xml.

The following is a list of the default schema files:

schema.core.xml

schema.cosine.xml

schema.inetorgperson.xml

schema.nis.xml

schema.dyngroup.xml

schema.java.xml

schema.diameter.xml

schema.eus.xml

schema.user.xml

Use the TLS Configuration section to:

Read the names of the adapter keystore and truststore. You cannot configure these values using Oracle Enterprise Manager Fusion Middleware Control.

Click the Server Settings entry in the Advanced navigation tree. The Server Settings entry expands and the Settings, Quotas, and Adapter SSL Settings groups appear in the navigation tree.

Click the group you want to configure. The following tables describe each setting in each group.

Note:

After configuring the appropriate setting, click Apply in the main Oracle Directory Services Manager screen to save the settings to the Oracle Virtual Directory server.

Table 9-1 Configuration Parameters for Settings Group in ODSM (columns: Category, Setting, Description)

Schema

Schema Files

Use the Schema Files section to identify the files Oracle Virtual Directory uses to define its schema. The Available Files field lists all available schema files that contain schema definitions. The Selected Files field lists the files that Oracle Virtual Directory uses to verify that LDAP entries conform to schema definitions. Oracle Virtual Directory verifies LDAP entries against the files listed in the Selected Files field only when the Enable Schema Checking option is selected. To move files between the Available Files and Selected Files fields, select one or more files, then use the appropriate Move or Remove arrow buttons to move the file.

Oracle Virtual Directory verifies LDAP entries against the files in the Selected Files field in the sequence, or order, in which they appear in the field. Each file is used for verification in descending order from top to bottom, with each file overriding the previous one when conflicts occur. You can change the sequence, or order, in which the files are used for verification by selecting a file name in the Selected Files field and then using the up and down arrow buttons to the right of the Selected Files field to change the order.

Typically, the last file identified is schema.user.xml. Any and all changes to schema are applied to the schema.user.xml file to ensure standard files, such as schema.core.xml, remain unchanged between releases, but can also be virtually modified by having the changes in schema.user.xml override default-shipped schema in schema.core.xml.

If you are installing a manufacturer supplied schema (in DSML form), place that file second to last in the list of schema files, immediately before schema.user.xml. This protects the distributed manufacturer file from modification while allowing local customization, which is then stored in schema.user.xml.

The following is a list of the default schema files:

schema.core.xml

schema.cosine.xml

schema.inetorgperson.xml

schema.nis.xml

schema.dyngroup.xml

schema.java.xml

schema.diameter.xml

schema.eus.xml

schema.user.xml

Enable Schema Checking

Select the Enable Schema Check option to enable Oracle Virtual Directory to check LDAP entries for conformance against the schema definitions contained in the files listed in the Schema Files section. Oracle suggests disabling the Enable Schema Check option only when an external method of schema checking will be used.

Access Control

Enable Access Control

Select the Enable Access Control option to enable Oracle Virtual Directory to enforce access controls as defined in the access control file.

Enables you to relocate the Oracle Virtual Directory Root DSE entry (base="") to another location in the virtual directory tree.

Relocating the DSE is most commonly performed when you must proxy another server's root entry to replace Oracle Virtual Directory's root entry, usually when you want to make Oracle Virtual Directory appear to be another directory server. This can be useful when the application is making assumptions about the directory.

After Oracle Virtual Directory's root entry is renamed from "", you can replace it by creating an LDAP Adapter with a remote base of "" and setting the local root as "". If you do this, you should also set Routing Levels to 0 for the LDAP Adapter so that Oracle Virtual Directory only tries to query the Root Entry of the remote server specifically when its root is queried. If you do not set Routing Levels to 0, the remote server receives queries for all requests received by Oracle Virtual Directory.

Control

Persistent Search Control

Enables or disables Oracle Virtual Directory to support the persistent search control regardless of the adapters configured.

Server Security

Admin Group URL

Enter the valid LDAP Admin Group URL used to connect to the Oracle Directory Services Manager Admin port. All users who match this URL can connect to the Admin port to manage Oracle Virtual Directory. A change to this setting takes effect after restarting the Oracle Virtual Directory server.
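The precedence rule for the schema file list (Schema Locations in Fusion Middleware Control, Schema Files in the Settings group above) and the schema check it feeds can be worked through offline. The following Python is an added example, not Oracle Virtual Directory's own code: it merges schema documents in list order so that a later file overrides an earlier one, then checks an entry against the merged result. The two XML documents are constructed stand-ins for schema.core.xml and schema.user.xml written in DSML v1 style; the assumption that the shipped files use the same element names (attribute-type, class, attribute ref) is mine, so treat the parser as an illustration of the override rule rather than as a loader for the real files.

```python
"""Schema file precedence and schema checking, modelled on the rule given in the
Oracle Virtual Directory documentation: files apply top to bottom, a later file
wins on conflict, and entries are checked against the merged result.  Added
example, not OVD's own code.  The XML is a constructed DSML v1 style sample,
not the shipped schema.core.xml or schema.user.xml (assumption: the real files
use the same attribute-type / class / attribute element names)."""
import xml.etree.ElementTree as ET

NS = {"dsml": "http://www.dsml.org/DSML"}

# Constructed stand-in for a shipped/core file: userPassword is multi-valued.
SCHEMA_CORE_XML = """<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
 <dsml:directory-schema>
  <dsml:attribute-type id="objectClass"><dsml:name>objectClass</dsml:name></dsml:attribute-type>
  <dsml:attribute-type id="cn"><dsml:name>cn</dsml:name></dsml:attribute-type>
  <dsml:attribute-type id="sn"><dsml:name>sn</dsml:name></dsml:attribute-type>
  <dsml:attribute-type id="userPassword"><dsml:name>userPassword</dsml:name></dsml:attribute-type>
  <dsml:class id="top" type="abstract"><dsml:name>top</dsml:name>
   <dsml:attribute ref="#objectClass" required="true"/></dsml:class>
  <dsml:class id="person" superior="#top" type="structural"><dsml:name>person</dsml:name>
   <dsml:attribute ref="#sn" required="true"/>
   <dsml:attribute ref="#cn" required="true"/>
   <dsml:attribute ref="#userPassword" required="false"/></dsml:class>
 </dsml:directory-schema>
</dsml:dsml>"""

# Constructed stand-in for schema.user.xml: local customisation that tightens
# userPassword to single-valued and adds a local class that requires a badge id.
SCHEMA_USER_XML = """<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
 <dsml:directory-schema>
  <dsml:attribute-type id="userPassword" single-value="true"><dsml:name>userPassword</dsml:name></dsml:attribute-type>
  <dsml:attribute-type id="employeeBadge" single-value="true"><dsml:name>employeeBadge</dsml:name></dsml:attribute-type>
  <dsml:class id="localPerson" superior="#person" type="structural"><dsml:name>localPerson</dsml:name>
   <dsml:attribute ref="#employeeBadge" required="true"/></dsml:class>
 </dsml:directory-schema>
</dsml:dsml>"""


def load_schema(files):
    """files: [(label, xml_text), ...] in the order of the Schema Locations /
    Selected Files list.  A later definition with the same id replaces an
    earlier one.  Returns (attribute types, object classes, origin file per id)."""
    attrs, classes, origin = {}, {}, {}
    for label, text in files:
        root = ET.fromstring(text)
        for at in root.iterfind(".//dsml:attribute-type", NS):
            key = at.get("id").lower()          # LDAP names are case-insensitive
            attrs[key] = {"single": at.get("single-value") == "true"}
            origin[key] = label
        for cls in root.iterfind(".//dsml:class", NS):
            key = cls.get("id").lower()
            must, may = set(), set()
            for m in cls.iterfind("dsml:attribute", NS):
                target = must if m.get("required") == "true" else may
                target.add(m.get("ref").lstrip("#").lower())
            sup = cls.get("superior")
            classes[key] = {"superior": sup.lstrip("#").lower() if sup else None,
                            "must": must, "may": may}
            origin[key] = label
    return attrs, classes, origin


def check_entry(entry, attrs, classes):
    """Return the schema violations for entry ({attribute: [values]});
    an empty list means the entry conforms to the merged schema."""
    e = {k.lower(): v for k, v in entry.items()}
    problems, must, may = [], set(), set()
    for oc in e.get("objectclass", []):
        c = oc.lower()
        while c:                                 # walk the superior chain up to top
            if c not in classes:
                problems.append("unknown objectClass " + oc)
                break
            must |= classes[c]["must"]
            may |= classes[c]["may"]
            c = classes[c]["superior"]
    for a in sorted(must - set(e)):
        problems.append("missing required attribute " + a)
    for a, values in e.items():
        if a not in attrs:
            problems.append("attribute not defined in schema: " + a)
        elif a not in must and a not in may:
            problems.append("attribute not allowed by objectClasses: " + a)
        elif attrs[a]["single"] and len(values) > 1:
            problems.append("single-valued attribute has several values: " + a)
    return problems


def demo():
    """Load core first and user last (so user overrides), then check one entry."""
    attrs, classes, origin = load_schema([("schema.core.xml", SCHEMA_CORE_XML),
                                          ("schema.user.xml", SCHEMA_USER_XML)])
    entry = {"objectClass": ["top", "localPerson"], "cn": ["Alice"], "sn": ["Liddell"],
             "userPassword": ["{SSHA}abc", "{SSHA}def"]}   # constructed entry
    return origin["userpassword"], check_entry(entry, attrs, classes)


if __name__ == "__main__":
    winner, problems = demo()
    print("userPassword definition taken from:", winner)
    for p in problems:
        print("violation:", p)
```

Loading schema.user.xml last is what lets a site tighten userPassword to single-valued without touching the shipped core file; placing a vendor DSML file immediately before schema.user.xml keeps local changes on top of the vendor definitions in the same way. Clearing Enable Schema Check switches off the whole check_entry step, so entries with undefined or disallowed attributes would pass Oracle Virtual Directory unchallenged and be left to the backend to reject.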

Table 9-2 Configuration Parameters for Quotas Group in ODSM (columns: Category, Setting, Description)

Search Limits

Anonymous

Enter the maximum number of entries to return for an anonymous client search. The default setting is 1000.

Authenticated

Enter the maximum number of entries to return for an authenticated user. An authenticated user is defined as a user bound to Oracle Virtual Directory. The Oracle Virtual Directory root account is exempt from this quota and the default setting is 10,000.

Activity Limits

Enforce Quotas

Enables or disables quota enforcement on the Oracle Virtual Directory server. You must enable the Enforce Quota option to configure the Activity Limits parameters.

Rate

Determines the time durations (in milliseconds) of quota enforcement. For example, if you set Rate to 50000, the quotas are enforced for 50 seconds. After 50 seconds expires, the "count" of quota settings starts over at 0 and the quotas are enforced for another 50 second duration. The default value is 30000, or 30 seconds.

Max Connections

Enter the maximum number of client connections to allow.

Max Ops/Con

Enter the maximum number of operations to allow for each connection.

Max Cons/Subject

Enter the maximum number of connections to allow for each authenticated subject.

Max Cons/IP Address

Enter the maximum number of connections to allow for each IP address connected to Oracle Virtual Directory.

Inactive Connection Timeout

Enter the maximum length of time (in minutes) that a client connection can remain inactive before Oracle Virtual Directory closes the connection.

Exempt Subjects

Add or delete subjects that are exempt from the quota enforcement. By default, users who have Oracle Directory Services Manager Administrator access (typically cn=orcladmin) are exempt from quota enforcement.

Exempt IP Address

Add or delete IP addresses that are exempt from the quota enforcement.
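The Search Limits and Activity Limits settings in Table 9-2 (and the equivalent fields on the Fusion Middleware Control Server Properties page) interact through the Rate window, which is easy to get wrong when sizing limits for clients behind a NAT or a load balancer. The following Python is an added model of the semantics as this page describes them, not Oracle Virtual Directory's enforcement code: counts are kept per Rate window and restart at 0 when it expires (an assumption taken from the Rate description; the page does not say whether concurrent connections are also counted), exempt IPs and subjects bypass the activity limits, and the root account is exempt from the search size limits. All addresses, DNs and limit values in the scenario are constructed.

```python
"""Working model of the quota semantics described for the Search Limits and
Activity Limits groups: activity counts live inside one Rate window and restart
at 0 when it expires, exempt IPs and subjects bypass the activity limits, and
the root account is exempt from the search size limits.  Added example for
reasoning about a policy before applying it; not OVD's enforcement code
(assumption: connection and operation counts are taken per Rate window)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuotaPolicy:
    enforce: bool = True                       # Enforce Quotas
    rate_ms: int = 30000                       # Rate (default 30 s)
    max_connections: int = 1000                # Max Connections
    max_ops_per_conn: int = 1000               # Max Ops/Con
    max_conns_per_subject: int = 20            # Max Cons/Subject
    max_conns_per_ip: int = 50                 # Max Cons/IP Address
    exempt_ips: frozenset = frozenset()        # Exempt IP Address
    exempt_subjects: frozenset = frozenset({"cn=orcladmin"})  # Exempt Subjects
    anonymous_limit: int = 1000                # Search Limits: Anonymous
    authenticated_limit: int = 10000           # Search Limits: Authenticated
    root_dn: str = "cn=orcladmin"              # exempt from search limits


class QuotaEnforcer:
    def __init__(self, policy):
        self.p = policy
        self.window_start = None
        self.exempt_conns = set()              # survives window rollover
        self._reset_counts()

    def _reset_counts(self):
        self.total, self.per_ip, self.per_subject, self.ops = 0, {}, {}, {}

    def _roll_window(self, now_ms):
        """Open a new Rate window (all counts back to 0) once the old one expires."""
        if self.window_start is None or now_ms - self.window_start >= self.p.rate_ms:
            self.window_start = now_ms
            self._reset_counts()

    def connect(self, conn_id, ip, subject, now_ms):
        """Return None when the connection is accepted, else the name of the limit hit."""
        self._roll_window(now_ms)
        subj = subject.lower() if subject else None
        if (not self.p.enforce or ip in self.p.exempt_ips
                or subj in {s.lower() for s in self.p.exempt_subjects}):
            self.exempt_conns.add(conn_id)     # exemption is a full bypass
            return None
        if self.total >= self.p.max_connections:
            return "Max Connections"
        if self.per_ip.get(ip, 0) >= self.p.max_conns_per_ip:
            return "Max Cons/IP Address"
        if subj and self.per_subject.get(subj, 0) >= self.p.max_conns_per_subject:
            return "Max Cons/Subject"
        self.total += 1
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        if subj:
            self.per_subject[subj] = self.per_subject.get(subj, 0) + 1
        return None

    def operate(self, conn_id, now_ms):
        """Return None when an operation on conn_id is allowed, else the limit hit."""
        self._roll_window(now_ms)
        if conn_id in self.exempt_conns:
            return None
        if self.ops.get(conn_id, 0) >= self.p.max_ops_per_conn:
            return "Max Ops/Con"
        self.ops[conn_id] = self.ops.get(conn_id, 0) + 1
        return None

    def search_size_limit(self, subject):
        """Entries a search may return; None means unlimited (root account)."""
        if subject is None:
            return self.p.anonymous_limit
        if subject.lower() == self.p.root_dn.lower():
            return None
        return self.p.authenticated_limit


def scenario():
    """Constructed run: two apps behind one NAT address plus an exempt monitoring host."""
    policy = QuotaPolicy(max_conns_per_ip=2, max_ops_per_conn=3,
                         exempt_ips=frozenset({"10.0.0.9"}))
    q = QuotaEnforcer(policy)
    out = [q.connect("c1", "10.0.0.5", "cn=app1,ou=svc,dc=example,dc=com", 0),
           q.connect("c2", "10.0.0.5", "cn=app2,ou=svc,dc=example,dc=com", 10),
           q.connect("c3", "10.0.0.5", None, 20),            # third from the same NAT
           q.connect("c4", "10.0.0.9", None, 20),            # exempt IP, always accepted
           q.connect("c5", "10.0.0.5", None, 30000)]         # next Rate window: count reset
    out += [q.operate("c1", 30000 + i) for i in range(4)]   # fourth op exceeds Max Ops/Con
    out += [q.search_size_limit(None), q.search_size_limit("cn=orcladmin")]
    return out


if __name__ == "__main__":
    for step, result in enumerate(scenario(), 1):
        print(step, "accepted" if result is None else result)
```

Two things the run shows: every client behind 10.0.0.5 shares one Max Cons/IP Address budget, so a NAT or proxy in front of Oracle Virtual Directory needs either a higher per-IP limit or an entry in Exempt IP Address; and an exempt IP is a complete bypass of the activity limits, so keep that list to hosts you control and monitor, since a foothold on such a host is exactly the path an attacker would use to exhaust the proxied sources.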

Lists the existing Java certificate aliases. Select an alias from the list to see its certificate details in the Selected Certificate Details table. This Adapter Key Alias control is for informational purposes only—it does not write any data.

Selected Certificate Details

Displays details about the Java certificate for the alias identified in the Adapter Key Alias list.

9.3 Configuring Oracle Virtual Directory Server Settings Using WLST

You can use the WebLogic Scripting Tool (WLST) at ORACLE_COMMON_HOME/common/bin/wlst.sh to set Oracle Virtual Directory server settings as follows:

Connect to the WebLogic Admin Server. For example:

connect('username', 'password','t3://host_name:Admin_Server_Port')

Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:

Using the WLST ls() command, you can see a list of attributes for the Oracle Virtual Directory server configuration MBean. Use the get('ATTRIBUTE_NAME') command to retrieve the current value for an attribute. For example, to retrieve the current value for MaxConnections, which is the maximum number of client connections to allow, execute the following:

get('MaxConnections')

Use the set() command to update an attribute. For example, to update the value for the MaxConnections setting, execute the following:

set('MaxConnections', 3000)

Note:

Using the set() command as shown in the preceding example saves the attribute setting to the MBean—you must perform step 5 in this procedure to save the changes to the Oracle Virtual Directory server.

The following is a list of each Oracle Virtual Directory server configuration MBean attribute and an example command for setting them:

The -Xmx parameter in the opmn.xml file controls the maximum heap size allocated to the Oracle Virtual Directory server. The default value is -Xmx256m. Edit this parameter as needed to increase or decrease the maximum heap size allocated to the Oracle Virtual Directory server. The opmn.xml file is located in the ORACLE_INSTANCE/config/OPMN/opmn/ directory.

The following example shows the -Xmx parameter set to -Xmx2048m, which allocates 2 GB of heap size to the Oracle Virtual Directory Server:

Oracle Virtual Directory supports two parameters that help detect and safely close orphan socket connections caused by remote client or server failure. These parameters help if applications or directory sources are on different networks—in particular, outside of the same data-center—than Oracle Virtual Directory and the network is unstable.

Set each parameter to the amount of time that TCP should wait for a response from the client or server; note that the two parameters use different units (SocketOptionsReadTimeout is in milliseconds, vde.soTimeoutBackend is in seconds), as described below. The status and stability of your network influence which parameters you set and also the amount of time you set. In an unstable network, you may want to set these parameters to a greater number of seconds than you would in a stable network environment.

Note:

If your operating system is reporting several connections in TIME_WAIT status and they do not close for an extended length of time, such as five minutes or more, it is a good indication that you should use these parameters to control the orphan connections.

Controlling Orphan Client Connections:

You can use the LDAP Listener's SocketOptionsReadTimeout parameter to control orphan client connections. Use the WLST set() command to set the SocketOptionsReadTimeout parameter. For example:

set('SocketOptionsReadTimeout', 120)

Note:

You must specify the SocketOptionsReadTimeout parameter value in milliseconds.

You can also use Oracle Enterprise Manager Fusion Middleware Control to set this parameter for the LDAP Listener. Refer to the Read Timeout parameter described in "Creating LDAP Listeners" for more information.

Controlling Orphan Server Connections:

You can use the vde.soTimeoutBackend Java Virtual Machine parameter located in the ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml file to control orphan server connections.

To set the vde.soTimeoutBackend parameter, edit opmn.xml and then restart Oracle Virtual Directory.

Note:

You must specify the vde.soTimeoutBackend parameter value in seconds.

The following is an example of the vde.soTimeoutBackend parameter set in the opmn.xml file:
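The two opmn.xml settings described above (the -Xmx heap size and the vde.soTimeoutBackend socket timeout) are shown together in the following added, constructed fragment. Only the -Xmx and -Dvde.soTimeoutBackend options come from the text; the ias-component/process-type/module-data/category/data element nesting, the id values and the remaining options are my assumption of the file's layout, so compare against the real ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml before editing.

```xml
<!-- Constructed fragment of ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml.
     Only -Xmx and -Dvde.soTimeoutBackend are taken from the documentation;
     the element nesting, ids and remaining options are assumed. -->
<ias-component id="ovd1">
  <process-type id="OVD" module-id="OVD">
    <module-data>
      <category id="start-options">
        <!-- Before: default 256 MB heap and no backend socket timeout.
             <data id="java-options" value="-server -Xms256m -Xmx256m"/> -->
        <!-- After: 2 GB heap; give up on a silent backend after 300 s
             (vde.soTimeoutBackend is in seconds, unlike SocketOptionsReadTimeout). -->
        <data id="java-options" value="-server -Xms256m -Xmx2048m -Dvde.soTimeoutBackend=300"/>
      </category>
    </module-data>
  </process-type>
</ias-component>
```

Restart the component after saving the file (for example opmnctl restartproc ias-component=ovd1, using the component name from your instance). Keep the unit difference in mind: 300 here and 300000 for SocketOptionsReadTimeout through WLST describe the same five-minute wait. Before and after the change, count lingering connections with ss -tan state time-wait (or netstat -an on older systems) to confirm the setting has the intended effect.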

Click the Upload New Library button at the top of the Advanced tree. The Upload New Library dialog box appears.

Enter the path to the library you want to load into Oracle Virtual Directory or click Browse, navigate to the library and select it. Click OK on the Upload New Library dialog box to load the library into Oracle Virtual Directory. The library appears in the Libraries entry of the Advanced tree.

The syncovdconfig command enables you to copy the following Oracle Virtual Directory configuration files between multiple Oracle Virtual Directory components:

server.os_xml

adapters.os_xml

acls.os_xml

schema.user.xml

Using this command helps you avoid performing the same configuration steps (such as creating adapters) on a second Oracle Virtual Directory server.

The syncovdconfig command does not copy the content of the Local Store Adapter; it only duplicates your Oracle Virtual Directory configuration.

Note:

You can use the oidcmprec tool to copy the data inside the Local Store Adapter to a second server, but doing so is a one-time operation. The oidcmprec tool cannot keep the Local Store Adapter's content in-sync, so you must call it whenever the Local Store Adapter content gets modified.

With Enterprise User Security (EUS), the content of the Local Store Adapter gets modified only when

You register or remove a new database using DBCA

You perform any EUS configuration tasks from ESM or EM

Because the Local Store Adapter content changes only at those points, synchronizing it with oidcmprec is an infrequent operation. Oracle therefore recommends running oidcmprec against the second Oracle Virtual Directory server every time you use DBCA.

9.7.1 Options

The following is a list of the options for syncovdconfig:

srcHost

Required. String format. The host name of the source Oracle Virtual Directory server—that is, the Oracle Virtual Directory server that contains the configuration files you want to copy to a different Oracle Virtual Directory server.

srcPort

Required. Integer format. The listening port number of the source Oracle Virtual Directory server—that is, the Oracle Virtual Directory server that contains the configuration files you want to copy to a different Oracle Virtual Directory server.

srcUserName

Optional. String format. The user who has Oracle Directory Services Manager Administrator access to the source Oracle Virtual Directory server—that is, the Oracle Virtual Directory server that contains the configuration files you want to copy to a different Oracle Virtual Directory server. If the srcUserName option is not specified, the default value of cn=orcladmin is used.

dstHost

Required. String format. The host name of the destination Oracle Virtual Directory server—that is, the Oracle Virtual Directory server where you want to copy the configuration files to.

dstPort

Required. Integer format. The listening port number of the destination Oracle Virtual Directory server—that is, the Oracle Virtual Directory server where you want to copy the configuration files to.

dstUserName

Optional. String format. The user with Oracle Directory Services Manager Administrator access to the destination Oracle Virtual Directory server—that is, the Oracle Virtual Directory server where you want to copy the configuration files to. If the dstUserName option is not specified, the default value of cn=orcladmin is used.

configFile

Optional. String format. The name of the configuration file on the source Oracle Virtual Directory server to copy to the destination Oracle Virtual Directory server. You can use the configFile option multiple times in the same command to copy multiple configuration files.

If you do not include the configFile option, the server.os_xml, adapters.os_xml, acls.os_xml, and schema.user.xml files on the source Oracle Virtual Directory server are copied to the destination Oracle Virtual Directory server.

adapterName

Optional. String format. The name of the adapter on the source Oracle Virtual Directory server to copy to the destination Oracle Virtual Directory server. You can use the adapterName option multiple times in the same command to copy multiple adapters.

If you do not include the adapterName option, but you include the configFile option and specify the adapters.os_xml file, you overwrite the entire adapters.os_xml file on the destination Oracle Virtual Directory server.

isSrcAdminSSL

Optional. Boolean format. Indicates whether the administrative Listener on the source Oracle Virtual Directory component is SSL enabled. Supported values are true and false. If the isSrcAdminSSL option is not specified, the default value of true is used.

isDstAdminSSL

Optional. Boolean format. Indicates whether the administrative Listener on the destination Oracle Virtual Directory component is SSL enabled. Supported values are true and false. If the isDstAdminSSL option is not specified, the default value of true is used.

9.7.2 Examples

The following are examples of the syncovdconfig command:

To synchronize the server.os_xml, adapters.os_xml, acls.os_xml, and schema.user.xml files between two Oracle Virtual Directory components: